Bug Description

qutebrowser 1.0.0 to 1.4.0 allows websites to change configuration settings via the qute://settings page by using CSRF. E.g. via the editor setting, this can very likely lead to a remote code execution. This has been fixed in 1.4.1 uploaded to Debian Unstablea few hours ago. Patches for earlier releases are available upstream.